Skip to content

Comments

Avoid division by zero in hybrid point encoding#15108

Closed
botovq wants to merge 0 commit intoopenssl:masterfrom
botovq:point_conversion
Closed

Avoid division by zero in hybrid point encoding#15108
botovq wants to merge 0 commit intoopenssl:masterfrom
botovq:point_conversion

Conversation

@botovq
Copy link
Contributor

@botovq botovq commented May 1, 2021

In hybrid and compressed point encodings, the form octet contains a bit
of information allowing to calculate y from x. For a point on a binary
curve, this bit is zero if x is zero, otherwise it must match the
rightmost bit of of the field element y / x. The existing code only
considers the second possibility. It could thus incorrecly fail with a
division by zero error as found by Guido Vranken's cryptofuzz.

This commit adds a few explanatory comments to oct2point. The only
actual code change is in the last hunk which adds a BN_is_zero(x)
check to avoid the division by zero.

Checklist
  • tests are added or updated

@openssl-machine openssl-machine added the hold: cla required The contributor needs to submit a license agreement label May 1, 2021
@botovq
Copy link
Contributor Author

botovq commented May 1, 2021

As mentioned in #15021, I am going to sign the CLA.

@romen romen self-assigned this May 1, 2021
@romen romen added branch: master Applies to master branch triaged: bug The issue/pr is/fixes a bug labels May 1, 2021
Copy link
Member

@romen romen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks for also including a test!

@t8m t8m added the approval: done This pull request has the required number of approvals label May 3, 2021
@t8m
Copy link
Member

t8m commented May 3, 2021

Waiting for the CLA to be signed.

@botovq botovq force-pushed the point_conversion branch 2 times, most recently from 36ec123 to d4d606e Compare May 4, 2021 02:49
Copy link
Member

@romen romen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even better, good point @slontis!

Formally reapproved.

@openssl-machine
Copy link
Collaborator

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

@t8m t8m closed this May 4, 2021
@t8m t8m reopened this May 4, 2021
@t8m t8m added approval: done This pull request has the required number of approvals and removed approval: done This pull request has the required number of approvals labels May 4, 2021
@t8m
Copy link
Member

t8m commented May 4, 2021

Have you submitted the CLA already?

@t8m
Copy link
Member

t8m commented May 4, 2021

This will need make update after rebasing before merge as it touches FIPS module sources.

@botovq
Copy link
Contributor Author

botovq commented May 4, 2021 via email

@romen
Copy link
Member

romen commented May 4, 2021

This will need make update after rebasing before merge as it touches FIPS module sources.

@t8m Does this mean that we need to rescope what is considered beta1 blocker?
Up till now this sounded like a bug fix, so something that could be fixed even during the beta period (and back ported to 1.1.1).
Does the new FIPS source checking mechanism change this?

@t8m
Copy link
Member

t8m commented May 4, 2021

Does the new FIPS source checking mechanism change this?

I do not think so. We never said that post beta1 no FIPS relevant source changes are allowed. I suppose we might want to restrict changes to them some time later during the beta cycle but it should be definitely allowed for some while after beta1.

@t8m
Copy link
Member

t8m commented May 4, 2021

Do I need to do 'make update' or is this something the person who merges will do?

I think it can be done by the person who merges but of course feel free to do it yourself if you want. It should also fix the check_update test failure.

@openssl-machine
Copy link
Collaborator

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

@kaduk
Copy link
Contributor

kaduk commented May 9, 2021

it might take a week or two before I get access to a printer or scanner.

I know that people with neither have been able to do some kind of electronic-only thing in the past, but I don't handle CLA processing so I don't know the details of how :(

@romen romen closed this May 9, 2021
@romen romen reopened this May 9, 2021
@openssl-machine openssl-machine removed the hold: cla required The contributor needs to submit a license agreement label May 9, 2021
@romen
Copy link
Member

romen commented May 9, 2021

@botovq I will deal with the make update to update the FIPS checksum during merge, as soon as the other tests are finished.

romen pushed a commit that referenced this pull request May 9, 2021
In hybrid and compressed point encodings, the form octet contains a bit
of information allowing to calculate y from x.  For a point on a binary
curve, this bit is zero if x is zero, otherwise it must match the
rightmost bit of of the field element y / x.  The existing code only
considers the second possibility. It could thus incorrecly fail with a
division by zero error as found by Guido Vranken's cryptofuzz.

This commit adds a few explanatory comments to oct2point. The only
actual code change is in the last hunk which adds a BN_is_zero(x)
check to avoid the division by zero.

Fixes #15021

Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #15108)
romen pushed a commit that referenced this pull request May 9, 2021
Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #15108)
romen added a commit that referenced this pull request May 9, 2021
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #15108)
@romen romen closed this May 9, 2021
@romen romen force-pushed the point_conversion branch from d4d606e to f0f4a46 Compare May 9, 2021 12:21
@romen
Copy link
Member

romen commented May 9, 2021

Merged to master with:

  • 56f0237 Avoid division by zero in hybrid point encoding
  • e70abb8 Test oct2point for hybrid point encoding of (0, y)
  • f0f4a46 FIPS checksums update

Thanks @botovq for the contribution and @guidovranken for raising the issue!

@romen
Copy link
Member

romen commented May 9, 2021

@botovq I tried force pushing to your branch to see if GitHub would recognize the PR as merged rather than closed.

Unfortunately I pushed to master first, so the test was not conclusive.
Sorry for the noise!

@richsalz
Copy link
Contributor

access to a printer or scanner

If you have a digitized copy of your signature already, free PDF tools can add it into an existing PDF. Or word-processing programs can also do it. That might helps.

@botovq
Copy link
Contributor Author

botovq commented May 10, 2021 via email

devnexen pushed a commit to devnexen/openssl that referenced this pull request Jul 7, 2021
In hybrid and compressed point encodings, the form octet contains a bit
of information allowing to calculate y from x.  For a point on a binary
curve, this bit is zero if x is zero, otherwise it must match the
rightmost bit of of the field element y / x.  The existing code only
considers the second possibility. It could thus incorrecly fail with a
division by zero error as found by Guido Vranken's cryptofuzz.

This commit adds a few explanatory comments to oct2point. The only
actual code change is in the last hunk which adds a BN_is_zero(x)
check to avoid the division by zero.

Fixes openssl#15021

Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#15108)
devnexen pushed a commit to devnexen/openssl that referenced this pull request Jul 7, 2021
Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#15108)
devnexen pushed a commit to devnexen/openssl that referenced this pull request Jul 7, 2021
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#15108)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approval: done This pull request has the required number of approvals branch: master Applies to master branch triaged: bug The issue/pr is/fixes a bug

Projects

None yet

Development

Successfully merging this pull request may close these issues.

EC_POINT_point2oct/EC_POINT_oct2point asymmetry (fixed in LibreSSL)

7 participants